
The Latest in Cloud Computing Standards

Eric A. Hibbard, CTO Security and Privacy, Hitachi, gave this presentation at our API and SOA workshop in conjunction with CSA.


  1. Latest in Cloud Computing Standards
     Eric A. Hibbard, CISSP, ISSAP, ISSEP, ISSMP, CISA, SCSE
     CTO Security & Privacy, Hitachi Data Systems
  2. Standards Alphabet Soup
     • CSA = Cloud Security Alliance
     • DMTF = Distributed Management Task Force
     • ENISA = European Network and Information Security Agency
     • ETSI = European Telecommunications Standards Institute
     • IEC = International Electrotechnical Commission
     • IEEE = Institute of Electrical and Electronics Engineers
     • INCITS = International Committee for Information Technology Standards
     • ISO = International Organization for Standardization
     • ITU-T = International Telecommunication Union – Telecom
     • NIST = National Institute for Standards and Technology
     • OASIS = Organization for the Advancement of Structured Information Standards
     • SNIA = Storage Networking Industry Association
     • TCG = Trusted Computing Group
  3. Sample Cloud SDO Relationships
     (Diagram showing formal and informal relationships among CT-CC, ITU-T, CSA, ISO/IEC SC27, ISO/IEC SC38, ENISA, TCG, INCITS/CS1, INCITS/DAPS38, IEEE, NIST, SNIA and DMTF.)
  4. Standards & Glaciers… Similar Pace
  5. Cloud Computing…
     cloud computing: paradigm for enabling [ubiquitous, convenient, on-demand] network access to a shared pool of configurable cloud resources (3.2.4) accessed through services (3.1.8), that can be [rapidly] provisioned and released [with minimal management effort or service provider interaction.]
     SOURCE: ISO/IEC 2nd CD 17788
  6. ISO/IEC JTC 1/SC 38
     • SC38 = Information Technology – Distributed Application Platforms & Services
     • ISO/IEC 17788 (Cloud computing – Vocabulary and overview)
       • Collaborative Team (CT) with ITU-T/SG13 to develop common text
       • Defines key cloud terminology and provides an overview of cloud computing
       • Intended to be a foundation document for cloud computing
       • Stage: 2nd Committee Draft (CD)
     • ISO/IEC 17789 (Reference architecture)
       • Collaborative Team (CT) with ITU-T/SG13 to develop common text
       • Covers general concepts and characteristics of cloud computing, the components/functions and roles and their capabilities and inter-relationships
       • Focused on the requirements of "what" cloud services provide, not "how" to design solutions and implementations
       • Stage: Working Draft (CD)
     • Under Consideration:
       • Service Delivery Principles and Service Level Agreements
  7. ITU-T/Study Group 13 (SG13)
     • Future networks including cloud computing, mobile and next-generation networks
     • Y.ccdef – Cloud computing definition and vocabulary
     • Y.cceco – Cloud computing: ecosystem, use cases and general requirements
     • Y.Cloud-SIDE-Reqts – High level requirements and capabilities for cloud enabled service environment
     • Y.ccic – Framework of inter-cloud for network and infrastructure
     • Y.ccinfra – Cloud computing infrastructure requirements
     • Y.ccra – Cloud computing reference architecture
     • Y.e2eccrmr – End-to-end cloud computing resources management requirements
     • Y.VNC – Resource control and management for virtual networks for cloud services (VNCs)
  8. ITU-T/Study Group 17 (SG17)
     • Security
     • X.ccsec – High-level security framework for cloud computing
     • X.goscc – Guidelines of operational security for cloud computing
     • X.sfcse – Security functional requirements for Software as a Service (SaaS) application environment
     • X.idmcc – Requirement of IdM in cloud computing
  9. ISO/IEC JTC 1/SC27
     • SC27 = Information Technology – Security techniques
     • ISO/IEC 27017 (Code of practice for information security controls for cloud computing services based on ISO/IEC 27002)
       • Additional implementation guidance for relevant information security controls specified in ISO/IEC 27002; and
       • Additional controls and implementation guidance that specifically relate to cloud computing services.
       • Technical Report => International Standard
       • Stage: 4th Working Draft (WD)
     • ISO/IEC 27018 (Code of practice for data protection controls for public cloud computing services)
       • Applies to organizations providing public cloud computing services that act as PII processors (possibly PII controllers)
       • Establishes commonly accepted control objectives, controls and guidelines for implementing controls to protect
       • Stage: 2nd Working Draft (WD)
  10. ISO/IEC JTC 1/SC27 (cont.)
     • ISO/IEC 27040 (Storage security)
       • Overview of storage security concepts and related definitions
       • Guidance on the threat, design and control aspects associated with typical storage scenarios and storage technology areas
       • Limited coverage for cloud storage (e.g., CDMI)
       • Stage: 2nd Committee Draft (CD)
     • Numerous other security standards that are potentially relevant!
  11. Standards Setting Organizations (SSO) & Industry Associations
  12. NIST – Information Technology Laboratory
     • Special Publication 800-144, Guidelines on Security and Privacy in Public Cloud Computing
     • Special Publication 800-145, The NIST Definition of Cloud Computing
     • Special Publication 800-146, Cloud Computing Synopsis and Recommendations
     • Special Publication 500-291, NIST Cloud Computing Standards Roadmap
     • Special Publication 500-292, NIST Cloud Computing Reference Architecture
     • Special Publication 500-293 (Draft), US Government Cloud Computing Technology
     • Interagency Report 7904 (Draft), Trusted Geolocation in the Cloud: Proof of Concept Implementation
  13. Cloud Security Alliance (CSA)
     • Security Guidance for Critical Areas of Focus in Cloud Computing
     • Open Certification Framework
     • Cloud Controls Matrix (CCM)
     • Trusted Cloud Initiative (TCI) Reference Architecture Model
     • Top Threats to Cloud Computing
     • Security as a Service (SecaaS) Implementation Guidance
  14. OASIS
     • Cloud Application Management for Platforms (CAMP)
     • Identity in the Cloud (IDCloud)
     • Symptoms Automation Framework (SAF)
     • Topology and Orchestration Specification for Cloud Applications (TOSCA)
     • Cloud Authorization (CloudAuthZ)
     • Public Administration Cloud Requirements (PACR)
  15. Other Cloud Activities of SSOs & IAs
     • IEEE Standards Association (IEEE-SA)
       • P2301 - Guide for Cloud Portability and Interoperability Profiles (CPIP)
       • P2302 - Standard for Intercloud Interoperability and Federation (SIIF)
     • Internet Engineering Task Force (IETF)
       • RFC 6208 – Cloud Data Management Interface (CDMI) Media Types
       • Huge number of RFCs that enable the cloud.
     • Trusted Computing Group (TCG)
       • Trusted Multi-Tenant Infrastructure (TMI) Use Cases
       • Trusted Multi-tenant Infrastructure (TMI) Specification [Goal]
     • Storage Networking Industry Association (SNIA)
       • Cloud Data Management Interface (CDMI) specification
       • ISO/IEC 17826:2012, Information technology -- Cloud Data Management Interface (CDMI) [CDMI v1.0.2]
  16. Other Cloud Activities of SSOs & IAs
     • The Open Group
       • Service-oriented Cloud Computing Infrastructure (SOCCI) Framework
       • Cloud Computing Reference Architecture (CCRA)
     • Distributed Management Task Force (DMTF)
       • DSP0243 Open Virtualization Format (OVF)
       • ISO/IEC 17203:2011, Information technology -- Open Virtualization Format (OVF) specification
       • DSP0263 Cloud Infrastructure Management Interface (CIMI) Model and REST Interface over HTTP Specification
       • DSP0264 CIMI-CIM Specification
  17. Final Thoughts
     • A significant number of the cloud computing standards and specifications are still in draft form
     • There are many organizations operating in this space, but it does appear there are conscious efforts to avoid duplication and contradiction
     • It is unlikely that a single, all-encompassing standard (or source for standards) will emerge for cloud
  18. THANK YOU
     eric.hibbard@hds.com